Lavasoft Security Bulletin: January 2014
Top20 Blocked Malware
Position | Ad-Aware detection | % of all threats |
1 | Win32.Trojan.Agent | 80.10% |
2 | Trojan.Win32.Generic!BT | 8.10% |
3 | Malware.JS.Generic | 3.34% |
4 | Heur.HTML.FakeLiker | 0.96% |
5 | Virus.VBS.Ramnit.a | 0.66% |
6 | Email-Worm.Win32.Brontok.a | 0.62% |
7 | Trojan.Win32.Generic.pak!cobra | 0.47% |
8 | Trojan-Downloader.Win32.Agent.ckhe | 0.29% |
9 | Trojan.Win32.Generic!SB.0 | 0.26% |
10 | Worm.LNK.Jenxcus.aha | 0.26% |
11 | Virus.Win32.Sality.at | 0.23% |
12 | HackTool.Win32.Keygen | 0.23% |
13 | Trojan.Win32.Zbot.aba | 0.19% |
14 | FraudTool.Win32.InternetProtection.ek!a | 0.19% |
15 | Trojan.Win32.Jpgiframe | 0.19% |
16 | Virus.Win32.Sality.ah | 0.15% |
17 | Worm.Win32.Autorun.ftc | 0.15% |
18 | Trojan.Win32.Ramnit.c | 0.14% |
19 | Backdoor.Win32.Bifrose.fsi | 0.10% |
20 | Win32.Backdoor.Inject/C | 0.09% |
The Top 20 malicious programs blocked on PCs
Malware Prevalence Table - January 2014
The table below ranks the most prevalent families seen in January.
Position | Ad-Aware detection | % of all threats |
1 | Trojan.Win32.Generic!BT | 35.97% |
2 | Trojan-Downloader.Win32.LoadMoney.u | 12.95% |
3 | Virus.Win32.Virut.ce | 7.41% |
4 | Virus.Win32.Expiro.gen | 5.29% |
5 | Trojan.Win32.Ircbot!cobra | 3.67% |
6 | Trojan.Win32.Generic.pak!cobra | 1.48% |
7 | Trojan.HTML.Ransomware.b | 0.87% |
8 | Trojan.Win32.Generic!SB.0 | 0.76% |
9 | Trojan.Win32.Loadmoney.aa | 0.57% |
10 | Trojan.Win32.DelfInject.m | 0.30% |
11 | Trojan.Win32.Zbot.aba | 0.29% |
12 | Win32.Malware!Drop | 0.27% |
13 | Malware.JS.Generic | 0.25% |
14 | Trojan.Win32.DotNet.c | 0.25% |
15 | Trojan.Win32.ZAccess.ma | 0.24% |
16 | Trojan-Downloader.Win32.Wauchos.la | 0.23% |
17 | Trojan.Win32.Autorun.dm | 0.23% |
18 | Trojan.MSIL.Bladabindi.agxy | 0.19% |
19 | Trojan-Spy.Win32.Usteal.da | 0.19% |
20 | FraudTool.Win32.FakeRean | 0.06% |
New malicious programs entering the Top 20
A new fake-AV interface named 'Windows Diagnosis' was discovered in the wild in January. It falsely claims that the user's computer has security problems, which it offers to fix through paid technical support. Ad-Aware detects it as Adware.Generic.647515.
Fake AV (MD5: 342d20129481c90298dcb722c1f68c6c) is detected by Ad-Aware as Adware.Generic.647515
Bots Review
Table: Bots under analysis (January 2014, Lavasoft MAS).
Bot | Dec 2013 | Jan 2014 | Changes |
Zbot | 499 | 259 | -38.8% |
Cycbot | 30 | 17 | -2.1% |
Kelihos | 224 | 193 | -5.0% |
NrgBot/Dorkbot | 195 | 145 | -8.1% |
Blazebot | 0 | 1 | 0.2% |
Shiz | 7 | 5 | -0.3% |
Total | 1580 | 1045 | |
Bot distribution in January (chart)
Kelihos
Kelihos download URLs are easy to recognize: they follow the URL mask
http://[IP Address]/mod[id]/[file name].exe
For example:
hxxp://123.240.9.110/mod2/tayran1.exe
hxxp://126.117.193.122/mod1/tayran1.exe
hxxp://89.47.95.27/mod1/yanicha.exe
File names seen this month in URLs that download Kelihos updates:
ssk0001.exe, ramps01.exe, tayran1.exe, keybex1.exe, gnomrea.exe
You can find the latest description on Kelihos here.
Cycbot. You can find the latest description on Cycbot here.
Shiz. Activity of this backdoor continued to decline. The latest example is here.
Zbot. You can find the latest description on Zbot here.
NrgBot/Dorkbot. The latest description shows that it is capable of running on 64-bit Windows 7, where it starts a 32-bit mspaint.exe process and injects its code into that Paint process.
Rbot.
In January, Lavasoft's Malware Analysis System continued to detect Rbot activity. At the time of writing, the latest version of Rbot still connected to the C&C server "videos.p0rn-lover.us", which issues commands to the IRC bots.
The commands sent to IRC bots in January 2014 are:
In addition we discovered a new IRC channel ##USA:
The following files were downloaded by URLs in channels:
ftp://{censored}:{censored}@178.33.232.15:8989/sys.exe
The file is 581182 bytes in size (MD5: 87bdba077896af4cd51a2bfc3d0c080a).
hxxp://www.dropbox.com/s/riiuyej7lza32i3/ms.exe?dl=1
The file is 493122 bytes in size (MD5: 3dd4700eaeecf9d09f2816850d1be03a).
During the month we observed eight successful downloads from Dropbox by Rbot and other malware. Popular file-sharing services are still being used to host malware, despite the countermeasures the affected providers have put in place.
Source: grahamcluley.com
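The Kelihos URL mask above and the two Rbot download URLs (an FTP URL with embedded credentials, and a Dropbox share link forced to direct download with ?dl=1) are the kind of indicators that can be turned into a proxy-log or URL-feed check. The following is an added example written for this bulletin, not Lavasoft code or any tool the page describes. Only the Kelihos mask is taken from the page; the FTP-credentials and Dropbox checks are generalisations of the two Rbot URLs quoted above, and the sample URL list is constructed for the demo (the URLs quoted on this page plus hand-made negatives).

```python
"""URL indicator matcher for the download patterns described in this bulletin.

Added illustrative example, not Lavasoft code. Patterns:
  * kelihos-mask: http://[IPv4]/mod[id]/[file name].exe (from the bulletin)
  * ftp-with-credentials: ftp://user:pass@host[:port]/...exe (generalised from Rbot)
  * dropbox-direct-download: Dropbox share link to an .exe with ?dl=1 (generalised from Rbot)
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Kelihos mask: plain http, a literal dotted-quad host, a /mod<N>/ directory and a
# single .exe file name. Octet range (0-255) is checked separately with ipaddress.
KELIHOS_RE = re.compile(
    r"^http://(?P<ip>[0-9]{1,3}(?:\.[0-9]{1,3}){3})/mod(?P<id>[0-9]+)/(?P<file>[^/?#]+\.exe)$",
    re.IGNORECASE,
)


def refang(url: str) -> str:
    """Turn the 'hxxp://' defanging used in reports back into a real scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def is_kelihos_download_url(url: str) -> bool:
    """True if url matches the Kelihos download mask with a valid IPv4 host."""
    m = KELIHOS_RE.match(refang(url))
    if not m:
        return False
    try:
        ipaddress.IPv4Address(m.group("ip"))  # rejects octets such as 999
    except ValueError:
        return False
    return True


def classify_url(url: str):
    """Return an indicator label for url, or None if nothing matches."""
    url = refang(url)
    if is_kelihos_download_url(url):
        return "kelihos-mask"
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    path = parts.path.lower()
    # Credentials embedded in an FTP URL that fetches an executable: typical of
    # bot download commands, not of legitimate software distribution.
    if scheme == "ftp" and parts.username is not None and path.endswith(".exe"):
        return "ftp-with-credentials"
    # Dropbox share link to an executable forced to direct download (?dl=1).
    if (
        scheme in ("http", "https")
        and parts.hostname in ("www.dropbox.com", "dropbox.com")
        and path.endswith(".exe")
        and parse_qs(parts.query).get("dl") == ["1"]
    ):
        return "dropbox-direct-download"
    return None


def scan(urls):
    """Return [(url, label)] for every URL that matches an indicator."""
    hits = []
    for u in urls:
        label = classify_url(u)
        if label is not None:
            hits.append((u, label))
    return hits


# Constructed sample input: the URLs quoted in this bulletin followed by negatives
# (hostname instead of IP, out-of-range octet, non-.exe file, Dropbox link without dl=1).
SAMPLE_URLS = [
    "hxxp://123.240.9.110/mod2/tayran1.exe",
    "hxxp://126.117.193.122/mod1/tayran1.exe",
    "hxxp://89.47.95.27/mod1/yanicha.exe",
    "ftp://{censored}:{censored}@178.33.232.15:8989/sys.exe",
    "hxxp://www.dropbox.com/s/riiuyej7lza32i3/ms.exe?dl=1",
    "http://example.com/mod1/tayran1.exe",
    "http://999.1.1.1/mod1/x.exe",
    "http://10.0.0.1/mod1/readme.txt",
    "https://www.dropbox.com/s/abc123/ms.exe",
]

if __name__ == "__main__":
    for u, label in scan(SAMPLE_URLS):
        print(f"{label:26} {u}")
```

The mask is deliberately strict (literal IPv4 host, one directory level, .exe suffix): loosening it to any host name would start matching ordinary download mirrors. The FTP and Dropbox checks are weaker signals on their own and are best treated as enrichment for a download event rather than as a block decision.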
SpyEye.
One of the SpyEye actors, Aleksandr Panin, pleaded guilty in Atlanta, US, on 28 January 2014.
The SpyEye trojan, described in the Malware Encyclopedia here and here, was the second most prevalent banking trojan after Zbot (Zeus).
Source: bbc.co.uk
In 2011 SpyEye gained an Android component and became capable of bypassing the SMS-based two-factor authentication used by online banking services.
During the investigation the FBI located the SpyEye C&C server, which "contained the full suite of features designed to steal confidential financial information, make fraudulent online banking transactions, install keystroke loggers, and initiate distributed denial of service (or DDoS) attacks from computers infected with malware". Panin was caught while selling new versions of SpyEye on hacker forums. Prices for the trojan ranged from $1,500 to $8,500.
This was not the first time SpyEye operators had been arrested. In summer 2012 three cyber criminals were arrested in connection with the SpyEye botnet.
In spring 2013 Hamza Bendelladj, an Algerian national, was arrested in Thailand and extradited to the US for running a SpyEye botnet that stole money from victims' bank accounts.
Top20 Potentially Unwanted Programs
Below are the Top 20 Potentially Unwanted Programs blocked by Ad-Aware on users' PCs. These are advertising software, browser toolbars, search engines and other programs that change the browser start page and other system settings.
Position | Ad-Aware detection | % of all threats |
1 | Conduit | 25.37% |
2 | MyWebSearch | 16.02% |
3 | Adware.JS.Conduit | 13.45% |
4 | Win32.PUP.Bandoo | 7.84% |
5 | Adware.Linkury | 5.01% |
6 | Adware.DealPly | 2.32% |
7 | Adware.Agent | 2.29% |
8 | Win32.Toolbar.Iminent | 2.21% |
9 | Crossrider | 2.02% |
10 | InstallCore | 1.58% |
11 | SweetIM | 1.31% |
12 | Iminent | 1.10% |
13 | Amonetize | 0.98% |
14 | Opencandy | 0.90% |
15 | Win32.Adware.Agent | 0.88% |
16 | CoolMirage Ltd | 0.85% |
17 | DomaIQ | 0.84% |
18 | Besttoolbars | 0.73% |
19 | Babylon | 0.67% |
20 | Yontoo | 0.61% |
Top 20 PUPs detected on users' PCs
Operating Systems
Infections by OS (chart)
Geographic Location
Infections by country (chart)
We will continue to track the worldwide malware situation and report on new malicious code samples in the next Lavasoft Security Bulletin.